
Monday, 18 June 2018

F5 Access Policy Manager (APM) Authentication using AD

Apart from being an excellent load balancer with all sorts of VIPs and SSL offloading capabilities, an F5 BIG-IP can also provide VPN and portal (reverse proxy) access through its Access Policy Manager (APM) module. These capabilities are configured under the Access Policy tab of your F5 and only become available once the APM license is installed. To find out your licensed entitlements, go to System > License.

Let's assume you want to give external (or roaming) users access to some internet-facing web portal, for instance a site where employees enter their time sheets or an ordering tool for your sales force; it could be anything.

The first thing you need to do is set up authentication. In this example we use Active Directory as the authentication source.

Authentication using Active Directory:

In the Access Policy tab, go to AAA Servers > Active Directory (note that you can also choose LDAP, RADIUS, TACACS+, SAML and a few others).

Essentially, you now add one or more AD servers to a pool that the access profile (next step) can point to. The F5 uses a service account to query AD, for example to look up group membership; this account must be pre-provisioned in AD. Keep it a plain, read-only domain user with a strong password rather than a privileged account: the BIG-IP stores its credentials, and at logon it is the user's own credentials that are validated against AD, so the service account never needs more than read access.

Access policy configuration.

Below is a screenshot of an access policy called SSO_portal.

Figure 1, access policy configuration

I have added two AAA Active Directory pools: aaa_ad and aaa_r.

Apart from the AAA servers, all the smarts lie in the policy itself. The policy named in figure 1 can be viewed through the visual policy editor (VPE), so let's have a look at the actual policy.

Figure 2. Visual policy editor
As you can see in the policy above, the first check is on the IP address of the party trying to log in. Based on the source address the flow branches: internal clients are authenticated with Kerberos, and everyone else (the fallback branch) gets web (forms based) authentication. After authentication, an AD query checks whether the user ID is a member of a predefined AD group. Only if it is does the flow reach the Allow ending (figure 2, right hand side); every other branch, including a failed authentication or a user outside the group, ends in Deny, so the default is to refuse access.

Fig.3 SSO authentication domain
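To make the decision logic of that flow concrete, here is an added example in plain Python (not F5 code and not part of the original post) that models the same three steps: source-IP branch, authentication, then group check, with Deny as the default. The internal networks, the group DN and the memberOf string are constructed assumptions. In the real VPE the group check is a branch rule such as `expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=PortalUsers,OU=Groups,DC=example,DC=com" }`; the example also shows why comparing the whole DN is safer than a substring test.

```python
"""Added example (not F5 code): a plain-Python model of the SSO_portal flow in
figure 2 so the decision logic can be read and tested outside the VPE.
Networks, group DN and session values below are constructed assumptions."""
import ipaddress

# Assumption: these ranges are the "internal" sources that should get Kerberos.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumption: the AD group the portal is restricted to (full DN, not just the CN).
PORTAL_GROUP_DN = "CN=PortalUsers,OU=Groups,DC=example,DC=com"


def choose_auth_method(client_ip: str) -> str:
    """First VPE item: Kerberos for internal clients, web logon for everyone
    else (the fallback branch)."""
    ip = ipaddress.ip_address(client_ip)
    return "kerberos" if any(ip in net for net in INTERNAL_NETS) else "webauth"


def parse_member_of(raw: str) -> list[str]:
    """Split a multi-valued APM attribute. Assumption: APM exposes
    session.ad.last.attr.memberOf as '| dn1 | dn2 |' (pipe-delimited)."""
    return [dn.strip() for dn in raw.split("|") if dn.strip()]


def in_group(member_of: list[str], group_dn: str) -> bool:
    """Exact (case-insensitive) DN match. The VPE 'contains' operator is a
    substring test, so 'CN=PortalUsers' would also match
    'CN=PortalUsers-Admins,...'; comparing whole DNs avoids that."""
    return any(dn.casefold() == group_dn.casefold() for dn in member_of)


def evaluate_policy(client_ip: str, auth_ok: bool, member_of_raw: str):
    """Return (ending, path). Every branch that is not explicitly allowed
    ends in Deny, mirroring the fallback endings in figure 2."""
    path = []
    method = choose_auth_method(client_ip)
    path.append(f"IP check -> {method}")
    if not auth_ok:
        path.append(f"{method} -> fallback -> Deny")
        return "Deny", path
    path.append(f"{method} -> AD Query")
    if in_group(parse_member_of(member_of_raw), PORTAL_GROUP_DN):
        path.append("AD Query -> group match -> Allow")
        return "Allow", path
    path.append("AD Query -> fallback -> Deny")
    return "Deny", path


if __name__ == "__main__":
    # Constructed memberOf value in the pipe-delimited form described above.
    member_of = ("| CN=Staff,OU=Groups,DC=example,DC=com "
                 "| CN=PortalUsers,OU=Groups,DC=example,DC=com |")
    cases = [("10.20.30.40", True, member_of),
             ("203.0.113.25", True, member_of),
             ("203.0.113.25", False, member_of),
             ("203.0.113.25", True,
              "| CN=PortalUsers-Admins,OU=Groups,DC=example,DC=com |")]
    for ip, ok, groups in cases:
        ending, path = evaluate_policy(ip, ok, groups)
        print(f"{ip:>14} auth_ok={ok!s:5} -> {ending}: {' | '.join(path)}")
```

The last case is the one worth noticing: a member of PortalUsers-Admins only is denied here, whereas a substring match on "PortalUsers" would have let them through.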

Apply the Access policy to the LTM VIP

Of course the access policy needs to be applied to a VIP, because that is what actually lands the traffic on the F5 platform. I like to look at a VIP as a socket that you plug into the F5 so it can apply its smarts.
Below is a screenshot of part of the Virtual Server configuration in LTM, where the previously configured access profile "SSO_portal" is assigned to the VIP. Keep in mind that the policy only protects traffic that enters through this VIP, so the portal servers behind it should not be reachable by users directly.

Access Policy Reporting.

To troubleshoot a user who cannot log into your application, the access policy reporting page on the BIG-IP is a good place to find out why. On your BIG-IP go to Access Policy > Reports > View Reports. As can be seen in figure 5, my login with user ID "mink" failed.

Figure 5 -Denied access
Please note that these reports are run per partition, so run the report for the partition your VIP lives in. To view the details of how the access policy flow was applied to the login attempt, click on Session ID details, which shows the branch decisions the session took and the ending it reached.
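The same session details can be reconstructed from /var/log/apm on the BIG-IP, which helps when you need to correlate many failed logons rather than click through them one at a time. Below is an added example in Python (not F5 code and not from the original post) that groups log lines by session ID, extracts the chain of branch decisions the policy followed and the error that caused the denial. The log lines are constructed for this example in the apmd style; message IDs, wording and the log path differ between versions, so treat the regex as a starting point rather than a spec.

```python
"""Added example (not F5 code): reconstruct an access-policy session from
/var/log/apm lines, which is what the 'Session ID details' view shows per
session. The sample lines are constructed in the BIG-IP apmd style for this
example; exact message IDs and wording vary by version."""
import re
from collections import defaultdict

# Assumed layout: "<ts> <host> <level> apmd[pid]: <msgid>:<sev>: /<profile>:<partition>:<sid>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) apmd\[\d+\]: "
    r"(?P<msgid>\w+):\d: /(?P<profile>[^:]+):(?P<partition>[^:]+):(?P<sid>[0-9a-f]+): "
    r"(?P<msg>.*)$")

# Constructed sample: one denied logon for user 'mink' and one allowed logon.
SAMPLE_APM_LOG = """\
Jun 18 09:41:02 bigip1 notice apmd[6314]: 01490500:5: /Common/SSO_portal:Common:8a1f02c3: New session from client IP 203.0.113.25 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/vs_portal_443
Jun 18 09:41:09 bigip1 notice apmd[6314]: 01490005:5: /Common/SSO_portal:Common:8a1f02c3: Following rule 'fallback' from item 'IP check' to item 'Logon Page'
Jun 18 09:41:15 bigip1 notice apmd[6314]: 01490010:5: /Common/SSO_portal:Common:8a1f02c3: Username 'mink'
Jun 18 09:41:15 bigip1 err apmd[6314]: 01490107:3: /Common/SSO_portal:Common:8a1f02c3: AD module: authentication with 'mink' failed: Preauthentication failed, principal name: mink@EXAMPLE.COM. Invalid user credentials (-1765328360)
Jun 18 09:41:15 bigip1 notice apmd[6314]: 01490005:5: /Common/SSO_portal:Common:8a1f02c3: Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Jun 18 09:41:15 bigip1 notice apmd[6314]: 01490102:5: /Common/SSO_portal:Common:8a1f02c3: Access policy result: Logon_Deny
Jun 18 09:42:30 bigip1 notice apmd[6314]: 01490500:5: /Common/SSO_portal:Common:b77e19d0: New session from client IP 10.20.30.40 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/vs_portal_443
Jun 18 09:42:30 bigip1 notice apmd[6314]: 01490005:5: /Common/SSO_portal:Common:b77e19d0: Following rule 'Internal' from item 'IP check' to item 'Kerberos Auth'
Jun 18 09:42:31 bigip1 notice apmd[6314]: 01490010:5: /Common/SSO_portal:Common:b77e19d0: Username 'jdoe'
Jun 18 09:42:31 bigip1 notice apmd[6314]: 01490005:5: /Common/SSO_portal:Common:b77e19d0: Following rule 'Successful' from item 'Kerberos Auth' to item 'AD Query'
Jun 18 09:42:31 bigip1 notice apmd[6314]: 01490005:5: /Common/SSO_portal:Common:b77e19d0: Following rule 'PortalUsers' from item 'AD Query' to ending 'Allow'
Jun 18 09:42:31 bigip1 notice apmd[6314]: 01490102:5: /Common/SSO_portal:Common:b77e19d0: Access policy result: LTM+APM_Mode
"""

RULE_RE = re.compile(r"Following rule '(.+?)' from item '(.+?)' to (?:item|ending) '(.+?)'")


def parse_apm_log(text):
    """Group parsed events by session ID; lines that do not match are skipped."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m["sid"]].append(m.groupdict())
    return sessions


def sessions_for_user(sessions, username):
    """Session IDs in which APM logged this username."""
    return [sid for sid, events in sessions.items()
            if any(e["msg"] == f"Username '{username}'" for e in events)]


def policy_path(events):
    """The branch chain as (from_item, rule, to_item) tuples, in log order."""
    hops = []
    for e in events:
        m = RULE_RE.match(e["msg"])
        if m:
            hops.append((m[2], m[1], m[3]))
    return hops


def policy_result(events):
    """Final 'Access policy result' for the session, or None if not logged."""
    for e in events:
        if e["msg"].startswith("Access policy result: "):
            return e["msg"].split(": ", 1)[1]
    return None


def denial_reason(events):
    """First error-level message; an AD authentication failure lands here."""
    for e in events:
        if e["level"] == "err":
            return e["msg"]
    return None


if __name__ == "__main__":
    sessions = parse_apm_log(SAMPLE_APM_LOG)
    for sid in sessions_for_user(sessions, "mink"):
        events = sessions[sid]
        print(sid, policy_result(events))
        for item, rule, target in policy_path(events):
            print(f"  {item} --[{rule}]--> {target}")
        print("  reason:", denial_reason(events))
```

Run against a copy of the real log, the interesting output is the path: a session that ends in Deny straight from the AD Query item points at group membership, one that ends in Deny from the AD Auth item points at credentials or the AAA server, and a session with no path at all usually means the report was run in the wrong partition or the traffic never reached the VIP.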
